
Jwall AuditConsole Outbound Anomaly Scoring Requirements #1276

Status: Merged (3 commits, Jan 7, 2019)

3 participants
emphazer (Collaborator) commented Jan 3, 2019

Here is a PR to keep Jwall AuditConsole compatible with CRS.

Without this PR the Outbound Score in the AC GUI will always be 0.

emphazer requested a review from dune73 on Jan 3, 2019

dune73 (Collaborator) commented Jan 4, 2019

The naming of the anomaly scoring variables is quite a mess.

So JWall is specifically looking at tx.anomaly_score for the outgoing score and you bring this back after I thought I could get away with cleaning it up a bit for 3.1?

emphazer (Collaborator, Author) commented Jan 4, 2019

@dune73
It took me 2 days to dive through the mess.
Finally, I think I understand it now.
The AuditConsole matches on tx.anomaly_score and the phase.
I think we just need the setvar once in phase 4.

By the way,
we still set the same score value variable, +%{tx.error_anomaly_score}, twice in our OUTBOUND rules.
For example, in 950100:

    setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}',\
    setvar:'tx.anomaly_score_pl1=+%{tx.error_anomaly_score}',\

I think we just need tx.outbound_anomaly_score_pl1 here.
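The scoring flow this comment describes, as an added illustrative rule set that is not CRS's own rule files and not the code from this PR: one PL1 outbound detection rule that only increments its per-paranoia-level counter (the pattern emphazer proposes for 950100), followed by a single phase-4 evaluation rule that sums the per-PL counters into tx.outbound_anomaly_score and, once, also adds them to tx.anomaly_score, which is the variable the AuditConsole is said to read for its Outbound Score. The rule IDs 9000010 to 9000012 and the leakage regex are hypothetical; the variable names (tx.outbound_anomaly_score_pl1, tx.outbound_anomaly_score, tx.anomaly_score, tx.error_anomaly_score, tx.outbound_anomaly_score_threshold, TX:PARANOIA_LEVEL) are CRS's and are assumed to be initialised elsewhere, as CRS does in its setup and initialisation rules.

```apache
# Added example, not CRS code. Hypothetical rule IDs 9000010-9000012.
# Assumes the CRS tx.* scoring variables are already initialised and that
# SecResponseBodyAccess is On so RESPONSE_BODY is populated in phase 4.

# PL1 outbound detection rule. Only the per-paranoia-level outbound counter
# is incremented here; nothing is added to tx.anomaly_score in the detection
# rule itself, so the score is not counted twice later.
SecRule RESPONSE_BODY "@rx (?i)<\?php" \
    "id:9000010,\
    phase:4,\
    block,\
    t:none,\
    msg:'PHP source code leakage (example rule)',\
    severity:'ERROR',\
    setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}'"

# Phase-4 evaluation: sum the per-PL counter into the global outbound score.
# JWall AuditConsole reads tx.anomaly_score in phase 4 for its Outbound
# Score (per the discussion above), so the same amount is added to
# tx.anomaly_score exactly once here, rather than in every detection rule.
# Without the second setvar, tx.anomaly_score carries no outbound share and
# the AuditConsole GUI shows an Outbound Score of 0.
SecRule TX:PARANOIA_LEVEL "@ge 1" \
    "id:9000011,\
    phase:4,\
    pass,\
    t:none,\
    nolog,\
    setvar:'tx.outbound_anomaly_score=+%{tx.outbound_anomaly_score_pl1}',\
    setvar:'tx.anomaly_score=+%{tx.outbound_anomaly_score_pl1}'"

# Blocking decision on the summed outbound score.
SecRule TX:OUTBOUND_ANOMALY_SCORE "@ge %{tx.outbound_anomaly_score_threshold}" \
    "id:9000012,\
    phase:4,\
    deny,\
    t:none,\
    log,\
    msg:'Outbound Anomaly Score Exceeded (Total Score: %{TX.OUTBOUND_ANOMALY_SCORE})',\
    severity:'CRITICAL'"
```

Two things to check when adapting this: rule 9000011 must run after every outbound detection rule and before 9000012 (ModSecurity evaluates phase-4 rules in file order), and the response body must actually be buffered (SecResponseBodyAccess On, with a SecResponseBodyMimeType list covering the content types you want inspected), otherwise the detection rule never fires and the counters stay at 0 regardless of the evaluation rule.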

lifeforms (Collaborator) commented Jan 4, 2019

Well spotted!

Could you add a few comments around the var settings to explain that we are setting this variable specifically for JWall AuditConsole? That will help against re-introducing the problem later on.

This bug could trip up more Jwall AuditConsole users, so I would be in favor of backporting and including in a 3.1.1 bugfix release.

emphazer (Collaborator, Author) commented Jan 4, 2019

I just minimized it now.
It affects all v3.1 & v3.2 users since the monitored paranoia level PR.

@lifeforms
Sure, I can do that.
I just hope this little change here is okay for everybody.

lifeforms merged commit e2fcb4e into SpiderLabs:v3.2/dev on Jan 7, 2019

1 check passed

continuous-integration/travis-ci/pr The Travis CI build passed